Tag-less Virtual Ethernet Port Aggregator (VEPA)...

Tag-lessVirtual Ethernet Port Aggregator(VEPA) ProposalJanuary 2009Chuck Hudson (HP) [email protected] Congdon (HP) [email protected]

2 15-Jan-09 new-dcb-hudson-tagless-vepa-0109.ppt

Motivation• Enable robust bridge features to individual virtual machines

− Network controls / ACLs− Network monitoring & security− Private VLANs

• Coordinated management of the network edge− Physical servers− Virtual servers

• Simplify data center management• Rapid industry adoption


Summary ofPossible Technical Approaches

• Emulates 802.1 Bridge• Limited controls• Managed by station• Works with all existing

bridges• No changes to existing

frame format.• Open-ended changes

to NIC

Brid

ge

VM

VM

VM

Brid

ge

VM

VM

VM

Brid

ge

VM

VM

VM

Virtual Ethernet Bridge (VEB) TaggedTag-less VEPA

• Extends 802.1 Bridge• Advanced controls• Managed by bridge• Works with many

existing bridges• No changes to existing

frame format.• Limits NIC changes

• Extends 802.1 Bridge• Advanced controls• Managed by bridge• Works with few or no

existing bridges• Changes to existing


uses MAC+VID to steer frames uses new tag to steer framesuses MAC+VID to steer frames

mul

ticas

t beh

avio

r


Tag-less 101


Virtual Ethernet Port Aggregator (tagless)

VM

VEPA

Bridge

VM HostA B C

1* 2

vdp vdp

1. Provides Multiple VEPA Device Ports (vdp) as vNICS to Virtual Machines

2. Each VDP is configured as individual NIC (i.e.MAC addr, Multicast addrs, VLAN tags, orpassthru). VEPA aggregates configurations.

3. May support all traditional NIC features (e.g. TCP Checksum, RSS, Large Segment Send)

4. Does NOT perform Local Bridging. Not a Virtual Ethernet Bridge (VEB)

5. Sends all outbound traffic to the wire

6. Replicates received mcast/bcast traffic

7. VLAN aware

8. May provide QoS and BW management

9. Invoked by special Bridge mode negotiation

Note: This proposal does NOT require new tags, but could work with them.


VM

VEPA

Bridge

VM HostA B C

1* 2 Address Port

A 1

B 1

C 2

Bridge Address Table

* = Bridge Port Configured for VEPA attach

1. A->C

2. A->B

3. A->Bcast

4. C->Bcast

VEPA Forwarding

vdp vdp


VM

VEPA

Bridge

VM HostA B C

1* 2 Address Port

A 1

B 1

C 2



1. A->C

2. A->B

3. A->Bcast

4. C->Bcast

VEPA Forwarding

vdp vdp


VM

VEPA

Bridge

VM HostA B C

1* 2 Address Port

A 1

B 1

C 2



1. A->C

2. A->B

3. A->Bcast

4. C->Bcast

VEPA Forwarding

vdp vdp


VEPA Forwarding

VM

VEPA

Bridge

VM HostA B C

1* 2 Address Port

A 1

B 1

C 2



1. A->C

2. A->B

3. A->Bcast

4. C->Bcast

vdp vdp


VEPA Elements


Key VEPA Terms

VEPA-EnabledBridge Port

Bridge

VEPA Mgr

End Node

End Node

End Node

End Node

Base VEPA Device PortsVEPA Uplink Port

VEPA

Station

VEPA Mgr


Bridge

VEPA Mgr

End Node

End Node

End Node

End Node

Base VEPA Device PortsVEPA Uplink Port

VEPA

Station

VEPA Mgr


Additional VEPA Terms


VEPA ‘Portlets’(optional)

Bridge

VEPA Egress ‘Portlets’ for Broadcast, Multicast, & flooded frames

VEPA Mgr

End Node

End Node

End Node

End Node

VEPAExpander

End Node

End Node

Base VEPA Device Ports

VEPA Expander Port

VEPA Uplink Port

VEPA

Station

Expander VEPA Device Ports

VEPA MgrVEPA ExpanderUplink Port


VEPA ‘Portlets’(optional)

Bridge

VEPA Egress ‘Portlets’ for Broadcast, Multicast, & flooded frames

VEPA Mgr

End Node

End Node

End Node

End Node

VEPAExpander

End Node

End Node


VEPA Expander Port

VEPA Uplink Port

VEPA

Station



End Node

End Node

End Node

End Node

VEPAExpander

End Node

End Node


VEPA Expander Port

VEPA Uplink Port

VEPA

Station




Basic Tag-less VEPA Construction• Each VEPA has

− A single, active VEPA Uplink Port− 1 to n VEPA Device Ports− 0, 1, or more VEPA Expander Ports− Station VEPA Manager & VEPA Address Table

• Connected to VEPA-enabled Bridge Port− VEPA ‘Portlets’ (optional)− Egress ‘Portlets’ (optional)− Bridge VEPA Manager

• A station may have multiple VEPAs


VEPA Device Ports• Each VEPA Device Port

− May be implemented as a PCI virtual function− Has one or more statically-identified MAC addresses− Movement of MAC addresses coordinated through VEPA Managers

• VEPA Device Ports are ‘NIC Configuration Aware’− Of MAC addresses− Of MAC listening entries (multi-cast and unicast)

• Configured via Station VEPA Manager− 1 or more specific MAC addresses (by station)− VLAN tagging behavior* − Priority tagging behavior*

• Forwards incoming frames to VEPA uplink− May set VLAN/Priority based on settings

• Receives frames from VEPA uplink− May remove VLAN/Priority tag based on settings

* Can be set by station or bridge


VEPA Uplink Port

• Single VEPA Uplink per VEPA− May be LAG− Has a MAC address (for capability exchange) − May implement ETS queues

• Settings− VEPA MAC address− Acceptable frame types

• Only VLAN tagged • Untagged, Pri tagged• All frames

− PVID− Egress VLAN IDs (aggregate of the VDP VIDs)


VEPA Expander• Usually software (operating mode of vswitch)

• Extends beyond limits of HW VEPA − # of VEPA Device Ports− # of VEPA Address Table Entries

• Consists of − One VEPA Expander Uplink Port− One to m Expansion VEPA Device Ports− Expander VEPA Address Table

• Forwards frames from VDPs to VEPA Uplink• Sends (replicating as necessary) from Expander Uplink Port to

expansion VDPs• Linked to Station VEPA Manager

− Configuration of VEPA Device Ports− Contribute to VEPA Capability Exchange

End Node

End Node

End Node

End Node

VEPAExpander

End Node

End Node


VEPA Expander Port

VEPA Uplink Port

VEPA

Station




VEPA-enabled Bridge Port…• The port is enabled for ‘turn-around’ forwarding of

− Multicast− Broadcast− Flooded Unicast

• Unicast destinations per forwarding table• The bridge may implement controls and features via

− VEPA Device Port configuration(VLAN ID, Private VLANs, Priority Settings, MAC filtering)

− Portlets (ACLs, Statistics)− Address table entries (IGMP snooping)


VEPA ‘Portlets’• Optional (can be simulated by rules engines)• Useful in simplifying ACLs & statistics collection• VEPA Portlets

− Associated with VDP MAC address(s)− Identifies incoming frames by SRC MAC− Identifies outgoing unicast frames by DST MAC

• Egress Portlets − Extra controls & statistics on broadcast, multicast, and flooded

frames


VEPA Address TableManagement


Address Table Management• Managed by Station VEPA Manager

− Information coordinated with bridge via VEPA Capability Exchange

• Static settings (no learning)• Driven by NICs

− VM NIC driver register for unicast/multicast listens• Fully-supports Locally-Assigned MAC Addresses (LAA)

− Station VEPA manager receives request− Station VEPA manager creates/updates table entries

• Multicast entries may be driven by Bridge (IGMP snooping)− Bridge intercepts join/leave messages− Creates/updates/deletes address table multicast entry


VEPA Address Table Example

0000 12Unk Ucast

0000 11Unk Ucast

Address VLAN Mask(ABCD *)

A 1 1000 0

B 2 0100 0

C 1 0010 0

D 2 0001 0

Bcast 1 1010 1

Bcast 2 0101 1

Mcast1 1 1010 1

Mcast1 2 0100 1

Mcast2 2 0101 1

Unk Mcast 1 0000 1

Unk Mcast 2 0000 1

Example: Base VEPA Address Table


VLAN 1 Tag Mask = UUUUTVLAN 2 Tag Mask = UUUUT

VM VM VM VM

VEPA

Expander

VM VM

Bridge1* 2

A B C D *

Station

vdp vdp vdp vdp expander

E Fvdp vdp


VEPA Address Table Example



VM VM VM VM

VEPA

Expander

VM VM

Bridge1* 2

A B C D *

Station


E Fvdp vdp

A -> Bcast

1. Dst Lookup = 101012. Src Lookup = 100003. Delivery Mask = 00101

(dst & ~src)

Note: Bridge should echo IGMP packets too 0000 12Unk Ucast

0000 11Unk Ucast


A 1 1000 0

B 2 0100 0

C 1 0010 0

D 2 0001 0

Bcast 1 1010 1

Bcast 2 0101 1

Mcast1 1 1010 1

Mcast1 2 0100 1

Mcast2 2 0101 1

Unk Mcast 1 0000 1

Unk Mcast 2 0000 1



VEPA Address Table: Multicast Entries



VM VM VM VM

VEPA

Expander

VM VM

Bridge1* 2

A B C D *

Station


E Fvdp vdp

A -> Mcast1

1. Dst Lookup = 101012. Src Lookup = 100003. Delivery Mask = 00101

(dst & ~src)

0000 12Unk Ucast

0000 11Unk Ucast


A 1 1000 0

B 2 0100 0

C 1 0010 0

D 2 0001 0

Bcast 1 1010 1

Bcast 2 0101 1

Mcast1 1 1010 1

Mcast1 2 0100 1

Mcast2 2 0101 1

Unk Mcast 1 0000 1

Unk Mcast 2 0000 1



VEPA Address Table: Unknown addresses



VM VM VM VM

VEPA

Expander

VM VM

Bridge1* 2

A B C D *

Station


E Fvdp vdp

0000 12Unk Ucast

0000 11Unk Ucast


A 1 1000 0

B 2 0100 0

C 1 0010 0

D 2 0001 0

Bcast 1 1010 1

Bcast 2 0101 1

Mcast1 1 1010 1

Mcast1 2 0100 1

Mcast2 2 0101 1

Unk Mcast 1 0000 1

Unk Mcast 2 0000 1


Unknown Multicast entries allow for multicast handling when there are excessive entries, promiscuous multicast listens, and steering of multicast entries to expander port.

Unknown unicast entries needed to steer packets to expander port(s). Also allows for support of promiscuous listen or monitoring ports.


Multiple VLANs on VDP


VLAN 1 Tag Mask = UUTUTVLAN 2 Tag Mask = UUTUT

VM VM VM VM

VEPA

Expander

VM VM

Bridge1* 2

A B C D *

Station


E Fvdp vdp

On VLANs1 & 2

0010 01C

0000 12Unk Ucast

0000 11Unk Ucast


A 1 1000 0

B 2 0100 0

C 2 0010 0

D 2 0001 0

Bcast 1 1010 1

Bcast 2 0101 1

Mcast1 1 1010 1

Mcast1 2 0100 1

Mcast2 2 0101 1

Unk Mcast 1 0000 1

Unk Mcast 2 0000 1



VDPs in Dual Listening Mode



VM VM VM VM

VEPA

Expander

VM VM

Bridge1* 2

A B C D *

Station


E Fvdp vdp

Dual listening

Used by MS Cluster Server that sends frames with a unicast address that is never used as a source

0001 02D

1010 01H

0010 01C

0000 12Unk Ucast

0000 11Unk Ucast


A 1 1000 0

B 2 0100 0

Bcast 1 1010 1

Bcast 2 0101 1

Mcast1 1 1010 1

Mcast1 2 0100 1

Mcast2 2 0101 1

Unk Mcast 1 0000 1

Unk Mcast 2 0000 1


Caused by VMsA & C registeringH as a listening MAC address (if allowed by Station VEPA manager)


VDP in Monitor Mode


VLAN 1 Tag Mask = UUTUTVLAN 2 Tag Mask = UUTUT

VM VM VM VM

VEPA

Expander

VM VM

Bridge1* 2

A B C D *

Station


E Fvdp vdp

Shows how a VDP could be configured to monitor any or all incoming frames.

Used by MS Cluster Server that sends frames with a unicast address that is never used as a source

0011 02D

0010 01C

0010 12Unk Ucast

0010 11Unk Ucast


A 1 1010 0

B 2 0110 0

Bcast 1 1010 1

Bcast 2 0111 1

Mcast1 1 1010 1

Mcast1 2 0110 1

Mcast2 2 0111 1

Unk Mcast 1 0010 1

Unk Mcast 2 0010 1


C

Set as monitor


VEPA Default Configuration (no VLAN tags)

0000 11Unk Ucast


A 1 1000 0

B 1 0100 0

C 1 0010 0

D 1 0001 0

Bcast 1 1010 1

Mcast1 1 0100 1

Mcast2 1 0101 1

Unk Mcast 1 0000 1


* = Bridge Port Configured for VEPA attach VLAN 1 Tag Mask = UUUUU

VM VM VM VM

VEPA

Expander

VM VM

Bridge1* 2

A B C D *

Station


E Fvdp vdp

Uplink configured as untagged

No VLAN or priority tagging


Configuration


VEPA Capability Exchange• Between Station VEPA Manager and Bridge VEPA Manager • Exchange VEPA capabilities, configuration• Re-occurs as needed to keep bridge station up to date

− Add, move, change of End Nodes• Initial sequence

− Establish link− Authenticate the link

• Based on the VEPA Uplink’s MAC address• Should allow for: MAC Auth, 802.1x, MACSEC

− Link Aggregation Control Protocol (LACP) as appropriate− VEPA Capability Exchange


VEPA Capability Exchange• Station Bridge

− VEPA Capabilities• Mode: Request/require: Tag-less, VEPA Tagged• # of base device ports• # of VEPA table entries• Level(s) of control

− VEPA General Settings• Bridge vs. Station Control of VLAN ID• Bridge vs. Station Control of pri

− Device Ports (Port Listing)• Port Number • Port Type (Base, Expander)• MAC addresses (as assigned by Station)

• Settings− Acceptable Frame Types− PVID− VLAN IDs** − Ingress VID Filtering− Priority Settings

− Address Table Entries (Typically Multicast)• Address, VLAN ID, Receiver Ports/Mask

− Updates

• Station Bridge− VEPA Capabilities

• Mode: Request/require: Tag-less, Tagged• Total # of supported device ports• Total # of supported address entries

− VEPA General Settings• Echo: Control of VLAN ID• Echo: Control of priority

− Device Port Setting (Port Listing)• Port Number• Echo/control settings

− Acceptable Frame Types− PVID− VLAN IDs** − Ingress VID Filtering− Priority Settings

− Address Table Entries (Typically Multicast)• Address, VLAN ID, Receive Ports/Mask• ….

− Updates

** Could be done with VLAN port membership vectors


VEPA Device Port Settings

Settings No VLAN Tag Force Priority VM has 3 VIDs VM has 1 VID private VLAN

MAC addresses one+ one+ one+ one+ one+

Acceptable frame types− Only VLAN tagged X− Untagged, Pri tagged X X X X− All frames

PVID 1 1 -- c c

(Egress) VLAN IDs 1 1 a, b, c c c, d

Ingress VID Filtering On On On On On

Priority Setting− Default value n n n n n− Set to default False True T/F T/F T/F

Ingress MAC Filtering T T T T T

Example VDP Configuration Scenarios


Summary


Approach Comparison

YesYesNoPrivate VLAN Support

Station VEPA + tag processingSW VEPA ExpanderRequires Virtual Switch Ports

Station VEPASW VEPA ExpanderOptional Portlets

Station VEBSW VEB

Key Elements

Based on static tag-to-port tableBased on static address tableStandard via use of static address table

Station-side Forwarding (in)

FullFullLimitedBridge traffic monitoring

Determined by number of virtual bridge ports

Nearly unlimited (via expander)Nearly unlimited (via vswitch)# of VMs

ACLs per virtual switch portACLs per ‘portlet’LimitedACLs

Limited (station-side collection) ++Limited (station-side collection) ++Limited (station-side collection)Statistics

Set per Virtual Switch PortSingle set of ETS queues

Set per VFSingle set of ETS queues

Set per VF (?)Single set of ETS queues

QoS

Bridge-side replication (or station-side with extensions)

Station-side replicationStation-side replicationFrame Replication

Bridge IngressForwarding

Bridge-side Learning

Station-sideLearning

Area

Requires ‘turn-around’ mode (tied to virtual bridge ports)

Requires ‘turn-around’ modeStandard

Standard + (must be aware of virtual ports)

StandardStandard

No MAC address learning in VEPA(Uses static tag address table)

Static, NIC-driven address table (used on Ingress)Special treatment of promiscuous ports

Static, NIC-driven address table

Special treatment of promiscuous ports

TaggedTagless VEPAVEB


Summary ofPossible Technical Approaches

• Emulates 802.1 Bridge• Limited controls• Managed by station• Works with all existing

bridges• No changes to existing

frame format.• Open-ended changes

to NIC

Brid

ge

VM

VM

VM

Brid

ge

VM

VM

VM

Brid

ge

VM

VM

VM

Virtual Ethernet Bridge (VEB) TaggedTag-less VEPA

• Extends 802.1 Bridge• Advanced controls• Managed by bridge• Works with many

existing bridges• No changes to existing


• Extends 802.1 Bridge• Advanced controls• Managed by bridge• Works with few or no

existing bridges• Changes to existing


uses MAC+VID to steer frames uses new tag to steer framesuses MAC+VID to steer frames

mul

ticas

t beh

avio

r

36 15-Jan-09 new-dcb-hudson-tagless-vepa-0109.ppt a

Date post:	24-Jun-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Tag-less Virtual Ethernet Port Aggregator (VEPA)...

Documents